[Snort-users] Pass rule

Martin Roesch roesch at ...1...
Tue Jul 25 01:50:57 EDT 2000


Did you use the -o command line option?  Try that....

   -Marty

Guy Bruneau wrote:
> 
> Hello,
> 
> I have tried to used the pass rule and it doesn't appear to work. For
> example, I have the following alert:
> 
> [**] IDS247 - MISC - Large UDP Packet [**]
> 07/24-19:17:32.790650 10.14.71.92:4361 -> 224.0.64.255:21626
> UDP TTL:32 TOS:0x0 ID:12831
> Len: 1144
> 
> I would write the following rule:
> 
> pass udp 10.14.71.92 any -> 224.0.64.255 any
> 
> but snort isn't ignoring it. It continues to log it. Is there anything wrong
> with this rule? If so, how should it be written?
> 
> Thanks,
> 
> Guy
> 
> --
> Guy Bruneau
> Ma page est a/My page at: http://www.penguinpowered.com/~bruneau
> 
>   _______________________________________________ Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management




More information about the Snort-users mailing list